FBI needs to show its Kaspersky cards or fold

Share

Written by

The FBI, in conjunction with other U.S. intelligence agencies, is making the case that Kaspersky has Russian intelligence ties and its products can’t be trusted. CyberScoop broke the story that the bureau has been briefing additional intelligence to U.S. companies using Kaspersky products, warning them to stop.

To date, the intelligence the FBI is briefing Kaspersky users on has not been made part of the public debate. It needs to be as soon as possible.

On Capitol Hill, Sen. Jeanne Shaheen, D-N.H., is moving to block the use of Kaspersky products in Defense Department networks. She laid out her rationale for this move in the New York Times on Monday. Shaheen makes the same tired and weak argument that Kaspersky has Russian intelligence ties and that classified assessments would allay any public doubts.

The entirety of the public evidence against Kaspersky boils down to the fact that company founder and CEO Eugene Kaspersky has connections to Russian intelligence, and that the company has cooperated with Russian government agencies to develop security products for them.

Whether it’s Shaheen or the FBI, the government can’t argue that it’s protecting sources and methods. If they are correct about Kaspersky, Russian intelligence already knows what they know.

It has been well-known that Kaspersky was trained by Russian intelligence and served with them for some time before starting his company. But this alone cannot be the standard of proof for “influence from Russian intelligence.” A large number of US companies (mine included) would meet this standard for “influence” by US intelligence.

Antivirus software is immensely powerful in its ability to monitor a system and share data with the antivirus company. It is wise to consider the negative potential impacts if the antivirus company operates in the interests of their host country’s intelligence agencies rather than their customers. This is as true for Kaspersky as it is for any other vendor.

As written in a Wired op-ed published this past weekend, a U.S. government ban on Kaspersky software could rapidly cause a domino effect on other technology firms worldwide. While I agree that the software should not be banned, I think the op-ed’s recommendations are short-sighted.

The op-ed urges building a software auditing center for Kaspersky, similar to what Chinese telecom manufacturer Huawei did to satisfy the UK government’s concerns over their products’ security. But even Shaheen understands the folly in this course of action. She correctly notes that whether or not Kaspersky has a backdoor in their software today, it still represents a risk because of the enormous access that antivirus software has, and the way it’s regularly updated. I’ve written previously about some of the many reasons why a software audit won’t ensure security for Kaspersky users and nothing’s changed my mind since.

It has been reported that one of the pieces of “evidence” against Kaspersky is that they inappropriately exfiltrate files from customer environments. It is entirely possible that this is benign behavior as part of Kaspersky’s cloud analytics program, but for this discussion, let’s take the claim at face value and assume maximum malice.

From their software installations, Kaspersky could be monitoring emails, webmail exchanges, and other documents being shared. The FBI is specifically briefing organizations that use Kaspersky products, so all of the companies briefed would be subject to monitoring from Kaspersky. The briefings from the FBI are certainly scheduled. Even if the FBI tells the organizations not to talk about the upcoming briefing over email or other electronic messaging, human nature — especially in organizations that do not have a security culture — virtually guarantees that some percentage of them inevitably do.

If Kaspersky is what the FBI claims it is, they have certainly intercepted these communications and shared them with Russian intelligence.

And, after the briefings from the FBI; when organizations are considering switching antivirus products, the merits of the bureau’s arguments are certainly being discussed in channels that Kaspersky could monitor. Switching antivirus providers is no small investment in time and software costs and it is a decision that is not taken lightly by any organization. The quality of the arguments put forth by the FBI would doubtless be discussed by IT, information security, procurement, and management personnel. Until Kaspersky is replaced in the organization’s network, they are again in a position to intercept this data and share it with Russian intelligence.

It is easy then to make the case that those being briefed by the FBI are discussing the facts of the Kaspersky case. It is also clear that Kaspersky would be in a position to monitor these discussions and report them to Russian intelligence. The Russian government is doubtlessly interested to know what information the FBI is briefing U.S. organizations about a Russian company. If Kaspersky can be influenced by Russian intelligence (as the public claims by the FBI imply) then we can only conclude that Kaspersky (and the Russian government) already know what the FBI is briefing.

Protection of intelligence sources and methods is the standard reason given for withholding intelligence data from public consumption. But, if Kaspersky and Russian intelligence knows what the FBI is briefing to U.S. companies, there are no sources and methods to protect.

The American public remain the only people unable to make an informed decision about whether or not to use Kaspersky. The FBI needs to educate the American people so they can make an informed decision about Kaspersky.

It’s high time the bureau showed its cards or folded its hand.

Jake Williams is the founder of Rendition InfoSec, a cybersecurity consultancy company, U.S. Army veteran and certified SANS instructor. Jake started his information security career doing classified work with the U.S. government and was awarded the National Security Agency (NSA) Exceptional Civilian Service Award, which is given to fewer than 20 people annually.